
Bug in HP Remote Management Tool Leaves Servers Open to Attack

Firmware version 1.88 of HPE's iLO3 remote management hardware has an unauthenticated remote denial-of-service vulnerability.

Hewlett Packard Enterprise has patched a vulnerability in Integrated Lights-Out 3 (iLO3), the remote management hardware built into its popular line of ProLiant servers. The bug allows an unauthenticated attacker on the management network to knock the iLO3 offline, and under some conditions that loss of out-of-band management can cripple a vulnerable datacenter.

The vulnerability (CVE-2017-8987) is rated “high severity”, with a CVSS base score of 8.6, and was discovered by Rapid7 researchers in September. HPE publicly reported the bug on Feb. 22 and has made patches available.

Affected is the v1.88 firmware for HPE's Integrated Lights-Out 3 (iLO3). Earlier iLO3 firmware versions (1.80, 1.82, 1.85 and 1.87) are not affected, nor is the iLO4 firmware (v2.55). iLO5 devices were not tested, according to a Rapid7 technical brief on the vulnerability written by Sam Huckins, the company's program manager.

HPE's iLO is an embedded server management technology for ProLiant servers: a management processor with its own dedicated network port, separate from the host operating system, that lets system administrators manage servers remotely even when the host is powered off or unresponsive.

“An attacker who has already compromised a network can now easily lock out an admin from fixing or mitigating against an attack,” said Tod Beardsley, Rapid7’s research director. “An attacker can use this to make a data center go dark and keep it that way by locking out remote management and mitigation.” With remote management gone, system administrators are left with on-premises, hands-on fixes.

According to Beardsley, an attacker sharing the same network as a vulnerable iLO3 can simply send several HTTP requests and cause the iLO3 device (running firmware v1.88) to stop responding for up to 10 minutes.

The effect is visible on every management interface the iLO3 exposes. Over SSH, “open sessions will become unresponsive; new SSH sessions will not be established,” and on the web portal “users cannot log into the web portal; the login page will not successfully load,” according to Rapid7.

Whereas HTTP GET and POST requests are benign, a request using any other method, such as curl -X OPTIONS, sent to an iLO3 device triggers the DoS condition. “Any method requested other than GET or POST will trigger the DoS, even invalid ones,” Beardsley wrote. “Ten minutes after the DoS is triggered, the watchdog (automatic system recovery) service restarts the device.”

“An attack doesn’t require authentication. The device itself requires some kind of authentication, such as a web portal that you use to log in. But this attack comes in before that. The attack is literally just an HTTP command,” Beardsley said.

According to Rapid7, HPE's Integrated Lights-Out is not enabled by default, so many ProLiant servers are likely not exposed to the vulnerability. For those that are, the fix is to update the iLO3 firmware past v1.88 and, in the meantime, to keep the iLO network port on an isolated management network that untrusted hosts cannot reach.
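Because the advisory ties exposure to one exact firmware build, the practical first step is an inventory: which iLOs on the management network are iLO3 at v1.88, which are on a build Rapid7 tested and found clean, and which (iLO5, or untested iLO3 builds) are unknown. The script below is an added example, not code from Rapid7, HPE or Threatpost. It assumes the inventory XML was collected from each iLO's unauthenticated GET /xmldata?item=all endpoint (a plain GET, which the advisory says is benign; collection with curl or a browser is left to the operator so the script runs offline) and that the document is the RIMP format iLO returns, with the product name in MP/PN and the firmware in MP/FWRI. The sample documents are constructed, not captured from real devices.

```python
"""Triage collected iLO inventory XML for the CVE-2017-8987 firmware (iLO3 v1.88).

Added example, not Rapid7's or HPE's code. It consumes the RIMP document that an
iLO serves at GET /xmldata?item=all (assumed layout: MP/PN holds the product name,
MP/FWRI the firmware version). It never sends the OPTIONS request that causes the
outage; it only classifies what a benign GET already told us.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# From the advisory: iLO3 v1.88 is affected. These other builds were tested and not affected.
AFFECTED = {("iLO 3", "1.88")}
TESTED_CLEAN = {("iLO 3", "1.80"), ("iLO 3", "1.82"), ("iLO 3", "1.85"),
                ("iLO 3", "1.87"), ("iLO 4", "2.55")}


@dataclass
class IloInfo:
    product: str      # e.g. "Integrated Lights-Out 3 (iLO 3)"
    generation: str   # e.g. "iLO 3", derived from the product name
    firmware: str     # e.g. "1.88"


def parse_rimp(xml_text: str) -> Optional[IloInfo]:
    """Pull product and firmware out of a RIMP document; None if this is not one."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None                      # HTML login page, empty reply, garbage
    if root.tag != "RIMP":
        return None
    product = root.findtext("MP/PN")
    firmware = root.findtext("MP/FWRI")
    if not product or not firmware:
        return None
    match = re.search(r"iLO\s*(\d)", product)
    generation = f"iLO {match.group(1)}" if match else "unknown"
    return IloInfo(product.strip(), generation, firmware.strip())


def classify(info: Optional[IloInfo]) -> str:
    """vulnerable / not-affected / untested / not-ilo, strictly per the advisory's tested set."""
    if info is None:
        return "not-ilo"
    key = (info.generation, info.firmware)
    if key in AFFECTED:
        return "vulnerable"
    if key in TESTED_CLEAN:
        return "not-affected"
    return "untested"   # iLO5, or an iLO3/iLO4 build the advisory did not cover: verify, do not assume


def triage(hosts: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, xml_text) pair to its classification."""
    return {host: classify(parse_rimp(xml)) for host, xml in hosts}


# Constructed sample responses (not captured from real devices), shaped like RIMP output.
SAMPLE_ILO3_188 = """<?xml version="1.0"?>
<RIMP><HSI><SPN>ProLiant DL380 G7</SPN></HSI>
<MP><ST>1</ST><PN>Integrated Lights-Out 3 (iLO 3)</PN><FWRI>1.88</FWRI><HWRI>ASIC: 8</HWRI></MP></RIMP>"""
SAMPLE_ILO4_255 = """<?xml version="1.0"?>
<RIMP><HSI><SPN>ProLiant DL360 Gen9</SPN></HSI>
<MP><ST>1</ST><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.55</FWRI><HWRI>ASIC: 16</HWRI></MP></RIMP>"""
SAMPLE_ILO5 = """<?xml version="1.0"?>
<RIMP><HSI><SPN>ProLiant DL380 Gen10</SPN></HSI>
<MP><ST>1</ST><PN>Integrated Lights-Out 5 (iLO 5)</PN><FWRI>1.15</FWRI><HWRI>ASIC: 21</HWRI></MP></RIMP>"""
SAMPLE_NOT_ILO = "<html><body>Login</body></html>"

SAMPLE_HOSTS = [("ilo-a.mgmt.example", SAMPLE_ILO3_188),
                ("ilo-b.mgmt.example", SAMPLE_ILO4_255),
                ("ilo-c.mgmt.example", SAMPLE_ILO5),
                ("switch-1.mgmt.example", SAMPLE_NOT_ILO)]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host:24s} {verdict}")
```

Anything classified as "untested" is deliberately not reported as safe: the advisory only vouches for the builds it lists, so an iLO3 on some other version still deserves a firmware update rather than an assumption.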

Authors

Threatpost
